NOTE: These FAQs summarize your rights under the privacy laws that apply to the financial services industry in general. Laws regulating specific types of financial services, such as banking, insurance, or investments, may provide some additional protections. For further information, you may consult the individual agency web pages listed under question #13.
I have been receiving privacy notices in the mail from my bank and credit union, finance company, insurance company, and investment firm. What is this all about?
In 1999 the Federal government passed a law called the Gramm-Leach-Bliley Act. The law requires these institutions to send you a notice regarding your privacy rights by July 1, 2001. In the notices, the companies must tell you what information they collect about you and with whom they share that information. Further, they must offer you an opportunity to "opt out" of having your information shared beyond exceptions provided by law.
Gramm-Leach-Bliley ("GLB") is also known as the Financial Services Modernization Act. It removed most of the legal barriers that previously existed between the banking, insurance, and securities industries. GLB established consumer privacy standards, including notice requirements, limits on information sharing, and requirements to protect the confidentiality and security of personal information.
Banks, credit unions, mortgage companies, finance companies, insurance companies, insurance agents, and investment firms are all subject to Gramm-Leach-Bliley. The law also applies to some retailers and automobile dealers that collect and share information about consumers to whom they extend credit or for whom they arrange credit.
"Opt out" means that you have an opportunity to say no ("opt out") before a financial institution shares information about you. Generally, Gramm-Leach-Bliley requires that consumers be given the right to "opt out" before personal information about them is shared with companies outside of the corporate family. If you exercise your right to "opt out," then (with the limited exceptions discussed below) the institution may not share nonpublic personal information about you with companies that are not part of the same parent organization. It is up to you to tell the company if you don't want your personal financial information shared without your permission. If you do not opt out, the company may share information with third parties in the way it describes in the notice it sends you.
There are certain uses of nonpublic personal information for ordinary business purposes that are exceptions to the "opt out" right. These are often described in generic terms in privacy notices, using language such as "disclosures permitted by law." For example, personal information about you may be disclosed to carry out a transaction you have requested, to service your account, to prevent fraud, as part of an examination by regulators, or to an auditor, rating agency, or prospective buyer of the institution. In addition, information other than health information may be shared within the corporate family or under joint marketing agreements with other institutions. In all these cases, the third party receiving the personal information must protect its confidentiality and may not use or disclose the information for other purposes.
Any information that the institution may share with companies outside of the corporate family must be described in the privacy notice you receive. The types of personal financial information that may be shared if you do not opt out include:
- Information you put on an application to obtain a loan, credit card, or other financial product or service;
- Account balance information, payment history, overdraft history, investments purchased or owned and credit or debit card purchase information;
- The fact that you are a customer;
- Any information provided by you in connection with collecting or servicing a loan;
- Information provided by you for purposes of analyzing your investments;
- Information collected through an Internet "cookie";
- Information from a consumer report.
GLB requires the institution to give you a privacy notice that describes the types of information collected by the institution and, if the institution might share your information, the types of businesses with whom the information might be shared. This notice must first be provided to existing customers by July 1, 2001 and then once a year after that. If you begin to do business with an institution after July 1, 2001, the notice must be given at the time the account is opened and then once a year.
This notice must also tell you how to exercise your right to "opt out" or say "no" to sharing your information. The institution may require you to return a form it sends you or it may give you a toll-free telephone number to call. However, the institution cannot require that you write your own letter as the only way to opt out of information sharing. If the institution does not provide an opportunity to "opt out," then it cannot share your information except as specifically permitted by law in the ordinary course of business.
Finally, the notice must also tell you how the institution will protect the confidentiality and security of your information.
Can I still protect my personal financial information under an "opt out" standard and prohibit the sharing of that information?
Yes. If you exercise your right to "opt out," then an institution may not share your personal financial information, unless it is otherwise permitted under state or federal law. Some provisions of Maine law provide considerable civil money penalties for institutions that violate these confidentiality requirements. Banks, for example, could be fined up to $10,000 per violation.
If you choose to opt out, that choice is effective until you revoke it in writing.
Yes. A consumer can opt out at any time, but it will only affect the future sharing of information and will not be retroactive.
GLB requires that the notices be clear and conspicuous, and that they accurately explain the right to opt out. If an institution does not comply with the privacy requirements or does not provide clear disclosures, the State may investigate, bring an enforcement action, or assess fines. If you don't understand a privacy notice, you may contact the company that sent it to you or you may contact the agencies below for assistance.
You should contact the institution involved to request a new notice.
Are there any other steps that I can take to protect my privacy and limit the sharing of personal information?
Yes, existing state and federal laws give you the right to reduce or eliminate telemarketing calls, unsolicited e-mails and pre-screened credit offers.
- To prevent pre-screened offers from all three major credit reporting agencies: Call 1-888-5-OPT-OUT (1-888-567-8688).
- One major credit reporting agency (Experian) also permits you to opt out of receiving marketing and promotional information from its clients. Call 1-800-407-1088.
- To avoid unwanted phone calls from many national marketers, send your name, address and phone number to Direct Marketing Association (DMA), Telephone Preference Service, PO Box 9014, Farmingdale, NY 11735-9014.
- To remove your name from national direct mail lists, write Direct Marketing Association, Mail Preference Service, PO Box 9008, Farmingdale, NY 11735-9008.
- To remove your e-mail address from many national direct e-mail lists, follow the instructions found at DMA's e-mail preference service website, www.e-mps.org.
- Regarding driver's license information, the Maine Secretary of State's Office no longer shares such information with marketing or promotional companies. You only need to contact the Bureau of Motor Vehicles if you wish to "opt in," to permit the sharing of that information.
The following agencies within the Department of Professional and Financial Regulation are available to assist you:
For questions about banks and credit unions, contact the Bureau of Financial Institutions: 1-800-965-5235; Internet website: www.maine.gov/pfr/financialinstitutions/
For questions about insurance companies or insurance agents, contact the Bureau of Insurance: 1-800-300-5000; Internet website: www.maine.gov/pfr/insurance
For questions about mortgage companies, finance companies, automobile dealers and other providers of consumer credit, contact the Office of Consumer Credit Regulation: 1-800-332-8529; Internet website: www.maine.gov/pfr/consumercredit/
For questions about investment firms and securities issues, contact the Office of Securities: 1-877-624-8551; Internet website: www.maine.gov/pfr/securities/
Insurance Specific Questions
How are the privacy rights of insurance consumers different from privacy rights in other financial markets?
Because the insurance business requires a more extensive use of sensitive personal information than most other financial services, the Maine Insurance Information and Privacy Protection Act provides some additional consumer protections above and beyond those discussed in the general frequently asked questions. These protections currently apply to life and health insurance and will apply to all consumer lines of insurance (like auto and homeowners) effective September 21, 2001:
- In addition to health information, information about character, personal habits, style of living, or general reputation may not be disclosed to non-affiliated third parties for marketing purposes without your written consent.
- You have the right to obtain access to recorded personal information that the regulated insurance entity has, to request correction if you think the information is inaccurate, and to add a rebuttal statement to the file if there is a dispute between you and the insurance company.
- You also have the right to know the reasons why a company made an unfavorable decision when they reviewed your application for insurance.
For life and health insurance consumers (including disability, long-term care, and Medicare Supplement), there is very little change in the law. The Maine Privacy Act has been in place for several years and is one of the strongest insurance consumer privacy laws in the nation. In most respects, the state law already equals or exceeds the requirements of the federal Gramm-Leach-Bliley Act. Under the federal law one of the new requirements is that notices to consumers must now be sent every year instead of every two years. Also, changes this year primarily affect homeowner's insurance, personal auto insurance, and other personal property and casualty lines. These lines of insurance will also become subject to the Maine Privacy Act effective September 21, 2001, as a result of recently passed state legislation. In the meantime, property and casualty companies that had not already adopted similar practices on a voluntary basis became subject to the notice and confidentiality requirements of the federal law on July 1.
Except for certain limited purposes such as underwriting and claims processing where it is necessary to collect and use health information, companies cannot share health information without your specific written permission.
There are two changes to the consumer privacy laws this year, one at the federal level and one at the state level. Both of these changes involve the entire financial services market and are not specifically directed at insurance. The insurance part of the new state law extends the protections of the existing Privacy Act (which is currently limited to life and health insurance) to include all personal lines of insurance.
The new federal privacy law establishes a minimum set of nationwide standards that applies to all states and all types of financial services. State privacy laws which provide equal or better consumer protection, such as the confidentiality provisions of the Maine Privacy Act, stay in place and are not affected by Gramm-Leach-Bliley.
Prepared by the Department of Professional & Financial Regulation July 5, 2001